OCSF: What It Is and Why It Changes Everything for Detection Teams
The Open Cybersecurity Schema Framework is quietly becoming the most important data standard in security operations. Here's what it is, why it exists, and what it means for teams building detection and hunting infrastructure.
The Data Normalization Problem
Every security tool speaks a different language. Splunk events look nothing like CrowdStrike telemetry. Zeek logs have a completely different schema from Windows Event Logs. When you're trying to correlate data across sources — which is exactly what threat hunting requires — you spend more time translating data than analysing it.
This is the problem OCSF (Open Cybersecurity Schema Framework) was built to solve.
What OCSF Actually Is
OCSF is an open standard, originally developed by AWS, Splunk, and a coalition of security vendors, that defines a common schema for security events: a set of event classes, the attribute names and data types each class carries, and the objects (endpoints, processes, files, users) those attributes are built from. Instead of each tool defining its own field names and data structures, OCSF provides one shared vocabulary that every source is mapped onto.
A network connection event from CrowdStrike, a network connection event from Zeek, and a network connection event from a firewall all map to the same OCSF class (Network Activity) with the same field names. src_endpoint.ip is always src_endpoint.ip, regardless of source. The mapping itself still has to be written and maintained per source; what OCSF fixes is the target, so that work is done once per source rather than once per query.
Why This Matters for Hunt Teams
The practical implications for threat hunting are significant:
Portable queries. A query written against OCSF-normalized data works against any source that has been mapped to the same OCSF class, provided the mapping populates the fields the query depends on. You write the logic once; it runs against every source you have mapped. OCSF standardizes the data model, not the query language, so the same logic may still need to be expressed in each backend's dialect.
Cross-source correlation. Correlating a process creation event from an EDR with a network connection event from an NDR becomes straightforward when both use the same schema: the join keys (host, IP, time) live at known field paths in both classes instead of in two vendor-specific layouts.
Durable playbooks. Hunting playbooks written against OCSF remain valid when you swap data sources, as long as the new source is mapped to the same classes. You're not rewriting playbooks every time you change vendors.
Shared detection content. Teams can share detection logic and hunting queries without requiring the recipient to have the same tooling stack, as long as the recipient's data is OCSF-normalized too.
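As an added example (not code from this page, from Vel, or from any vendor's OCSF mapping), the script below maps three constructed log formats onto OCSF-shaped events, then runs one port query and one process-to-network correlation over the mixed set, which is the "portable query" and "cross-source correlation" point made above in working form. Class and attribute names follow the OCSF schema as published at https://schema.ocsf.io (Network Activity is class_uid 4001, Process Activity is class_uid 1007); the product names, the key=value firewall format, the EDR JSON shape, the sample log lines and the schema version string are all assumptions constructed for this example.

```python
"""Map constructed Zeek, firewall and EDR records onto OCSF-shaped events,
then run one query and one cross-source correlation over the normalized set.

Added example, not the page's or any vendor's mapping. Class/attribute names
follow https://schema.ocsf.io; the sample lines, product names, the firewall
key=value layout, the EDR JSON shape and OCSF_VERSION are constructed here.
"""
import json
from typing import Dict, List, Tuple

OCSF_VERSION = "1.1.0"  # assumption: the schema version the events claim to follow


def _net_event(product: str, ts_ms: int, src_ip: str, src_port, dst_ip: str,
               dst_port, proto: str, bytes_out, bytes_in) -> Dict:
    """Build a Network Activity event (class_uid 4001, activity_id 6 = Traffic)."""
    return {
        "category_uid": 4, "class_uid": 4001, "activity_id": 6,
        "type_uid": 4001 * 100 + 6,  # OCSF convention: class_uid * 100 + activity_id
        "severity_id": 1, "time": ts_ms,  # OCSF time is epoch milliseconds
        "metadata": {"version": OCSF_VERSION, "product": {"name": product}},
        "src_endpoint": {"ip": src_ip, "port": int(src_port)},
        "dst_endpoint": {"ip": dst_ip, "port": int(dst_port)},
        "connection_info": {"protocol_name": proto.lower()},
        "traffic": {"bytes_out": int(bytes_out), "bytes_in": int(bytes_in)},
    }


def zeek_conn_to_ocsf(line: str) -> Dict:
    """Zeek conn.log in JSON form -> Network Activity."""
    r = json.loads(line)
    return _net_event("Zeek", int(r["ts"] * 1000), r["id.orig_h"], r["id.orig_p"],
                      r["id.resp_h"], r["id.resp_p"], r["proto"],
                      r.get("orig_bytes", 0), r.get("resp_bytes", 0))


def firewall_kv_to_ocsf(line: str) -> Dict:
    """Constructed key=value firewall syslog -> Network Activity."""
    kv = dict(tok.split("=", 1) for tok in line.split())
    return _net_event("ExampleFW", int(kv["ts"]) * 1000, kv["src"], kv["spt"],
                      kv["dst"], kv["dpt"], kv["proto"], kv["sent"], kv["rcvd"])


def edr_process_to_ocsf(line: str) -> Dict:
    """Constructed EDR process-start JSON -> Process Activity (1007, activity_id 1 = Launch)."""
    r = json.loads(line)
    return {
        "category_uid": 1, "class_uid": 1007, "activity_id": 1,
        "type_uid": 1007 * 100 + 1, "severity_id": 1, "time": int(r["ts"]) * 1000,
        "metadata": {"version": OCSF_VERSION, "product": {"name": "ExampleEDR"}},
        "device": {"hostname": r["hostname"], "ip": r["ip"]},
        "process": {"pid": r["pid"], "name": r["image"].rsplit("\\", 1)[-1],
                    "cmd_line": r["cmdline"], "file": {"path": r["image"]}},
    }


MAPPERS = {"zeek": zeek_conn_to_ocsf, "fw": firewall_kv_to_ocsf, "edr": edr_process_to_ocsf}


def normalize(kind: str, line: str) -> Dict:
    """Dispatch a raw line to the mapper for its source type."""
    return MAPPERS[kind](line)


def find_outbound_to_port(events: List[Dict], dst_port: int) -> List[str]:
    """One query, written once against OCSF names, run over every mapped source."""
    return [f'{e["metadata"]["product"]["name"]}:{e["src_endpoint"]["ip"]}->{e["dst_endpoint"]["ip"]}'
            for e in events
            if e["class_uid"] == 4001 and e["dst_endpoint"]["port"] == dst_port]


def correlate_process_to_network(events: List[Dict], window_s: int = 60) -> List[Dict]:
    """Join Process Activity to Network Activity on host IP within window_s after launch."""
    procs = [e for e in events if e["class_uid"] == 1007]
    nets = [e for e in events if e["class_uid"] == 4001]
    hits = []
    for p in procs:
        for n in nets:
            dt_s = (n["time"] - p["time"]) / 1000
            if n["src_endpoint"]["ip"] == p["device"]["ip"] and 0 <= dt_s <= window_s:
                hits.append({"process": p["process"]["name"],
                             "dst": f'{n["dst_endpoint"]["ip"]}:{n["dst_endpoint"]["port"]}',
                             "seen_by": n["metadata"]["product"]["name"]})
    return hits


# Constructed sample input: an EDR launch, the same connection seen by Zeek and
# by a firewall, and an unrelated DNS lookup from a different host.
SAMPLE_LINES: List[Tuple[str, str]] = [
    ("edr", r'{"hostname": "ws-17", "ip": "10.1.2.3", "pid": 4412, "ts": 1700000000, '
            r'"image": "C:\\Temp\\upd.exe", "cmdline": "upd.exe -s"}'),
    ("zeek", '{"ts": 1700000012.5, "id.orig_h": "10.1.2.3", "id.orig_p": 51234, '
             '"id.resp_h": "203.0.113.7", "id.resp_p": 443, "proto": "tcp", '
             '"orig_bytes": 1200, "resp_bytes": 34000}'),
    ("fw", "ts=1700000013 src=10.1.2.3 spt=51234 dst=203.0.113.7 dpt=443 proto=TCP sent=1200 rcvd=34000"),
    ("zeek", '{"ts": 1700000500.0, "id.orig_h": "10.1.2.9", "id.orig_p": 40000, '
             '"id.resp_h": "198.51.100.4", "id.resp_p": 53, "proto": "udp"}'),
]

if __name__ == "__main__":
    evts = [normalize(k, l) for k, l in SAMPLE_LINES]
    print(find_outbound_to_port(evts, 443))
    for hit in correlate_process_to_network(evts):
        print(hit)
```

Two things worth noticing when you run it. The port query and the correlation never look at which product produced an event; they read src_endpoint, dst_endpoint, device and process at the paths OCSF fixes, which is the whole portability argument. And the same connection comes back twice, once from Zeek and once from the firewall: normalization gives you a common shape, not deduplication, so correlation logic over multiple sensors still has to decide whether it is counting connections or sensor views. Before trusting a mapping in production, check the class in the schema browser for the attributes it marks as required and for the enum values behind activity_id and type_uid.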
The Adoption Curve
OCSF is gaining momentum fast. Amazon Security Lake natively uses OCSF. Microsoft, Palo Alto Networks, IBM, and dozens of other vendors have committed to OCSF support. The trajectory is clear: OCSF is becoming the lingua franca of security telemetry.
Building on OCSF now isn't just good practice; it's future-proofing. Any detection content, hunting query, or playbook built on OCSF carries over as the ecosystem matures, with one practical caveat: the schema itself is versioned, and attributes are added and deprecated between releases, so record the schema version your data claims (metadata.version) and re-check content that depends on fields that have changed.
It's why Vel is built on OCSF from the ground up. Not because it's trendy, but because it's the right foundation for detection and hunting work that lasts.
Ready to put this into practice?
Vel is the workbench that makes these workflows operational — hypothesis tracking, evidence management, query federation, and leadership visibility in one place.